#13347: XSS Attack prevention using HttpOnly
----------------------------+-----------------------------------------------
Reporter: Ciantic | Owner: nobody
Status: new | Milestone:
Component: Authentication | Version: 1.1
Keywords: security xss | Stage: Unreviewed
Has_patch: 0 |
----------------------------+-----------------------------------------------
I've just read about [http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html Cookie setting called "HttpOnly"]; to me it seems like Django authentication and session IDs should use that.
Currently Django logs in like this (Live HTTP Headers):
{{{
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/
}}}
After that hardening it would work like this:
{{{
Set-Cookie: sessionid=???; expires=Wed, 28-Apr-2010 17:48:38 GMT; Max-Age=1209600; Path=/; HttpOnly
}}}
It could be an option if someone ''really needs the session id'' in the
javascript; in maybe 99.9% of cases one never retrieves the sessionid cookie by
javascript, so it would be wise to make this ''HttpOnly'' as default.
--
Ticket URL: <http://code.djangoproject.com/ticket/13347>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
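As an added illustration that is not part of the ticket or of Django's own code: the script below builds a sessionid `Set-Cookie` value with and without the `HttpOnly` flag using the standard-library `http.cookies` module, and audits a captured `Set-Cookie` header the way a reviewer would check the two headers quoted in the ticket. The session value `abc123` is a constructed placeholder, and `Secure` is checked alongside `HttpOnly` because a practitioner would want both on a session cookie. (Django later exposed this as the `SESSION_COOKIE_HTTPONLY` setting; the helpers here are independent of it.)

```python
from http.cookies import SimpleCookie

# Constructed copies of the two headers quoted in the ticket, with the
# placeholder session value "abc123" standing in for the real "???".
TICKET_BEFORE = ("sessionid=abc123; expires=Wed, 28-Apr-2010 17:48:38 GMT; "
                 "Max-Age=1209600; Path=/")
TICKET_AFTER = TICKET_BEFORE + "; HttpOnly"


def build_session_cookie(session_id, max_age=1209600, httponly=True, secure=False):
    """Return a Set-Cookie header value for a Django-style sessionid cookie.

    httponly=True keeps the cookie out of document.cookie; secure=True keeps
    it off plain-HTTP requests. Both are flags, so they are only emitted
    when set.
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    morsel = cookie["sessionid"]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if httponly:
        morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    # OutputString() renders "name=value" followed by the attributes in
    # alphabetical order, e.g. "sessionid=abc123; HttpOnly; Max-Age=...; Path=/".
    return morsel.OutputString()


def cookie_attributes(set_cookie_value):
    """Parse a Set-Cookie value into (name, value, attrs).

    Attribute names are lower-cased; valueless flags such as HttpOnly and
    Secure map to True. Splitting on ';' is safe here because the comma in
    the Expires date is not a separator.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(set_cookie_value):
    """Return a list of findings for a session cookie; an empty list means OK."""
    name, _, attrs = cookie_attributes(set_cookie_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    for label, header in (("before", TICKET_BEFORE), ("after", TICKET_AFTER)):
        print(f"{label}: {audit_session_cookie(header) or 'no findings'}")
    print("generated:", build_session_cookie("abc123", secure=True))
```

Running the script reports two findings for the ticket's "before" header and one (missing `Secure`) for the "after" header, and shows the generated cookie carrying both flags. The audit function is what you would point at real captured `Set-Cookie` headers from a login response.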